From patrik.karlsson@ixsecurity.com Tue Jul 24 05:44:20 2001
From: Patrik Karlsson
To: bugtraq@securityfocus.com
Date: Mon, 23 Jul 2001 10:00:00 -0100 (GMT+1)
Subject: iXsecurity.20010618.policy_director.a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iXsecurity Security Vulnerability Report
No: iXsecurity.20010618.policy_director.a
=========================================

Vulnerability Summary
- -------------------

Problem:           Web Seal Policy director does not handle URLs in
                   hex code correctly. It is possible to perform web
                   traversals by appending %2e to access the
                   underlying web server.

Threat:            It is possible to view all files on the server
                   and exploit some of the web server
                   vulnerabilities.

Affected Software: This exposure exists on Tivoli SecureWay Policy
                   Director versions 3.01, 3.6, 3.7 and 3.7.1.

Platform:          This exposure only occurs on the Tivoli SecureWay
                   Policy Director WebSEAL proxy server, running on
                   any of the Web server operating systems, which
                   consist of: HP-UX, IBM AIX, Sun Solaris, Microsoft
                   Windows NT, or Windows 2000.

Solution:          Install the patch for Tivoli SecureWay Policy
                   Director.

Vulnerability Description
- -----------------------

The IBM/Tivoli Web Seal Policy director is supposed to gather all
directories on several web servers that users are allowed to access
and present them as a logical web server. The policy director is
supposed to seal users into pre-defined directories on the web server
according to the company policy.

If you make connections to the web server on port 80, the Web Seal
answers and tries to lock you into the pre-defined directory. By
appending /%2e%2e/%2e%2e you escape the policy director and are able
to perform directory traversals and view most files on the system, as
well as exploit vulnerabilities in the web server.

iXsecurity was able to exploit the good old RDS vulnerability by
patching Rain Forest Puppy's msadc.pl script (www.wiretrip.net/rfp).

Solution
- ------

Install the patch for Tivoli SecureWay Policy Director. This patch is
available now and corrects the potential problem by enhancing the URL
access control verification being performed.

This patch may be downloaded as follows:

For registered users, please visit
http://www.tivoli.com/support/downloads/

For all other users, please access the FTP server:

For version 3.01
ftp://ftp.tivoli.com/support/patches/patches_3.0.1/3.0.1-POL-0001

For version 3.6
ftp://ftp.tivoli.com/support/patches/patches_3.6/3.6-POL-0011

For version 3.7
ftp://ftp.tivoli.com/support/patches/patches_3.7.1/3.7.1-POL-0003

For version 3.7.1
ftp://ftp.tivoli.com/support/patches/patches_3.7.1/3.7.1-POL-0003

Additional Information
- --------------------

IBM and Tivoli were contacted 19 June, 2001.

This vulnerability was found during a PenTest by
Patrik Karlsson and Rikard Carlsson
patrik.karlsson@ixsecurity.com
rikard.carlsson@ixsecurity.com

- ----------------------------
iXsecurity is a Swedish and U.K. based tiger team that has worked
with computer-related security since 1982 and done network
penetration tests and technical audits since 1995. iXsecurity is
hiring in Sweden and the United Kingdom. Call Christer Stafferod on
+46(0)8 6621070 ( mailto:christer@ixsecurity.com ) for more
information.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO1gvcu0UT89+sfzcEQIkVACeLD1dUpsCw6oUOvgkYFDyfetwcrgAoPcb
3fngsDbc+EQGVz8Ce/oHrLCa
=cFSE
-----END PGP SIGNATURE-----
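
Added example, not part of the original advisory and not Tivoli's code: a Python sketch of the flaw class described above, where an access check made on the still-encoded URL path disagrees with what the backend serves after decoding, next to a check made on the canonical path. The allowed roots, function names and sample requests are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directories the proxy may expose (not taken from the advisory).
ALLOWED_ROOTS = ("/public", "/app/docs")

def _under_allowed_root(path):
    return any(path == r or path.startswith(r + "/") for r in ALLOWED_ROOTS)

def naive_is_allowed(raw_path):
    """Assumed model of the flaw: the policy check sees the encoded path."""
    if ".." in raw_path.split("/"):      # "%2e%2e" is not ".." at this point
        return False
    return _under_allowed_root(raw_path)

def canonical_path(raw_path):
    """Decode once, reject ambiguous input, then collapse dot segments."""
    decoded = unquote(raw_path)
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):
        raise ValueError("double-encoded path")
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("backslash or NUL in path")
    return posixpath.normpath("/" + decoded.lstrip("/"))

def strict_is_allowed(raw_path):
    """Decide on the canonical form; return (allowed, path_to_forward)."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return False, None
    ok = _under_allowed_root(path)
    # Forward the same string that was checked, never the raw request path.
    return ok, (path if ok else None)

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "/public/index.html",
        "/public/%2e%2e/%2e%2e/private/config.txt",
        "/public/%252e%252e/private/config.txt",
        "/public/a/../b.html",
    ]
    for p in samples:
        print(f"{p!r:48} naive={naive_is_allowed(p)} "
              f"strict={strict_is_allowed(p)}")
```

The hex-encoded request passes the naive check but canonicalizes to a path outside every allowed root, so the strict check denies it.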